Created on 09-20-2023 07:51 AM Edited on 11-15-2024 01:29 AM By Anthony_E
Description
This article describes the issue of full disk utilization.
Scope
FortiDeceptor.
Solution
First, if the decoys are not configured to reset after an attack, this alone can fill the disk: an attacker may download or install malware on the decoy, and that content accumulates on disk with every attack that is not followed by a reset.
When creating the decoys, make sure the reset option is enabled. It is also possible to configure the time period after which the decoy is reset following an attack.
Second, in FortiDeceptor version 4.1 and lower, a deployment network connected to a trunk port carrying a large traffic volume can also drive up disk utilization. These versions analyze all traffic passing through the deployment network, and the temporary traffic content accumulates to high disk usage whenever traffic arrives faster than the temporary content is cleared.
There are three solutions:
The first solution is to limit, outside FortiDeceptor, the volume of traffic that reaches it, for example by restricting the VLANs allowed on the trunk port or by connecting FortiDeceptor to an access port instead of a trunk port;
The second solution is to upgrade to version 4.2 or higher. Starting from 4.2, the analysis feature no longer processes all traffic on the deployment network but only traffic destined for the decoys, which greatly reduces the size of the temporary content.
The recommended approach is the second solution: upgrade to 4.2 or higher.
The third solution is to run the command data-purge -k<N>, which automatically purges data older than the specified number of days, where N is a value from 1 to 365.
For example, to purge data older than 10 days:
data-purge -k10
The -k option cannot be combined with other data-purge options.
Note:
It is recommended to configure the data purge retention even when disk utilization is not yet a problem: the disk will eventually fill up, and at that point the only remedy is to delete old data.